Hello,

I will keep this short and brief. If one attempts to use the WebView
control to load the following page:

https://revoked.grc.com/

The page is loaded, the SSL handshake completes successfully, and it is
displayed and no exceptions are thrown
(e.g. webView.getEngine().getLoadWorker().getException() is null) and the
WorkerState goes to Worker.State.SUCCEEDED.

However, the certificate of this page is indeed revoked.

I understand that the WebView uses HttpsURLConnection under the covers, and
so I did some googling about OCSP/CRL (which are certificate revocation
protocols, for lack of a better term). It seems that OCSP can be enabled
via:

Security.setProperty("ocsp.enable", "true");

and, as a fallback, CRL can be enabled via:

System.setProperty("com.sun.security.enableCRLDP", "true");

However, neither of these makes any difference with regard to the successful
outcome posted above.

One really disgusting workaround to this problem would be to write a
TrustManager (which is extremely difficult in my estimation, and prone to
error) that checks for certificate revocation (by using, for example,
the sun.security.provider.certpath.OCSPChecker class), but since there is no
way to hook into the validation check of an existing TrustManager, all of
the existing functionality would have to be duplicated.

Considering the WebView can be used essentially as a browser (especially
given the fact that it is based on WebKit) I think this is quite a serious
issue (and indeed is a serious issue for my particular application).

Has anyone run into this problem and come up with a solution? Is this a
known bug? Is there anything I can do to fix it?

Thanks very much,



-- 
Michael Ennen
